Hello David -
>
> I'm doing some work for a client who uses radiator. I've looked
> through the docs, faq, but can't seem to find a way to do the
> following. Firstly, below is what the existing realm in the config
> file looks like.
>
>
> <Realm foo>
>     AcctLogFileName %L/%c/detail
>     AcctLogFileName /home/radius/acctlog.%Y%m%d
>     AuthByPolicy ContinueAlways
>     <AuthBy GROUP>
>         AuthByPolicy ContinueUntilAccept
>         <AuthBy FILE>
>             Filename /home/radius/raddb/users1
>         </AuthBy>
>         <AuthBy FILE>
>             Filename /home/radius/raddb/users2
>             AddToReply Service-Type=Framed-User,Framed-Protocol=PPP
>         </AuthBy>
>         <AuthBy FILE>
>             Filename /home/radius/raddb/users3
>             Identifier System
>             Identifier Realm
>             DefaultReply Framed-IP-Address=255.255.255.254
>             AddToReply Service-Type=Framed-User,Framed-Protocol=PPP
>         </AuthBy>
>     </AuthBy>
> </Realm>
>
>
> What I'd like to achieve, is a fallthrough for users that don't
> have a username and/or password match in any of the preceding
> password files, such that they will be authenticated anyway...then
> I want to use the cisco avpair stuff to ensure they can only get to a
> certain web page, which tells them what to do next.
>
> The question is, how do I create another AuthBy statement that will
> ensure that they authenticate, if they have failed to authenticate (for
> whatever reason) under any of the previous password files?
>
I think I would start by simplifying the above configuration, but I will need
to see what the users files are doing as well. If there is nothing special in
the users files, I would suggest something like this:

<AuthBy FILE>
    Identifier Check-users1
    Filename /home/radius/raddb/users1
</AuthBy>

<AuthBy FILE>
    Identifier Check-users2
    Filename /home/radius/raddb/users2
    AddToReply Service-Type=Framed-User,Framed-Protocol=PPP
</AuthBy>

<AuthBy FILE>
    Identifier Check-users3
    Filename /home/radius/raddb/users3
    DefaultReply Framed-IP-Address=255.255.255.254
    AddToReply Service-Type=Framed-User,Framed-Protocol=PPP
</AuthBy>

<AuthBy FILE>
    Identifier Check-Default
    Filename /home/radius/raddb/default-users
</AuthBy>

<AuthBy GROUP>
    Identifier Check-All-Users
    AuthByPolicy ContinueUntilAccept
    AuthBy Check-users1
    AuthBy Check-users2
    AuthBy Check-users3
    AuthBy Check-Default
</AuthBy>

<Realm foo>
    AcctLogFileName %L/%c/detail
    AcctLogFileName /home/radius/acctlog.%Y%m%d
    AuthBy Check-All-Users
</Realm>

You will need to check what use is made (if any) of the existing Identifiers in
the original configuration file.

The file "/home/radius/raddb/default-users" would contain something
like this:

# accept anything and return relevant cisco-avpairs
DEFAULT
    cisco-avpair stuff
    .....

> Also, is the "ContinueAlways" AuthByPolicy valid? I couldn't find any
> reference in the radiator docs for this...
>
Yes, it's valid. Anything other than what is listed in the manual is considered
as "ContinueAlways". See section 6.19.1 in the Radiator 2.15 manual.
regards
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
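
Added example, not part of the original message and not Radiator code: a simplified Python model of the Check-All-Users group suggested in the reply, showing which clause accepts a request under ContinueUntilAccept and which reply attributes the user ends up with. The user names, passwords and the cisco-avpair placeholder are constructed, and the handler semantics are an assumption made for illustration.

```python
# Simplified model (an assumption, not Radiator code) of an AuthBy GROUP
# evaluated with AuthByPolicy ContinueUntilAccept.
ACCEPT, REJECT = "ACCEPT", "REJECT"
PPP = {"Service-Type": "Framed-User", "Framed-Protocol": "PPP"}
# Placeholder for the reply items of the DEFAULT entry in default-users.
RESTRICTED = {"cisco-avpair": "<restricted-access-avpairs>"}


def auth_by_file(users, add_to_reply=None, default_reply=None, catch_all=None):
    """Model one <AuthBy FILE>: users maps name -> (password, reply items)."""
    def handler(username, password):
        if username in users and users[username][0] == password:
            # DefaultReply applies only when the entry has no reply items.
            reply = dict(users[username][1] or default_reply or {})
        elif catch_all is not None:
            # A DEFAULT entry with no check items accepts any request.
            reply = dict(catch_all)
        else:
            return REJECT, {}
        reply.update(add_to_reply or {})
        return ACCEPT, reply
    return handler


def continue_until_accept(chain, username, password):
    """Try each (identifier, handler) in order and stop at the first accept."""
    for identifier, handler in chain:
        result, reply = handler(username, password)
        if result == ACCEPT:
            return ACCEPT, identifier, reply
    return REJECT, None, {}


# Constructed sample users; the identifiers mirror the configuration above.
CHAIN = [
    ("Check-users1", auth_by_file({"alice": ("pw-a", {})})),
    ("Check-users2", auth_by_file({"bob": ("pw-b", {})}, add_to_reply=PPP)),
    ("Check-users3", auth_by_file(
        {"carol": ("pw-c", {})}, add_to_reply=PPP,
        default_reply={"Framed-IP-Address": "255.255.255.254"})),
    ("Check-Default", auth_by_file({}, catch_all=RESTRICTED)),
]
# Same clauses with the catch-all listed first, to show why order matters.
MISORDERED = [CHAIN[-1]] + CHAIN[:-1]

if __name__ == "__main__":
    for user, pw in [("alice", "pw-a"), ("alice", "wrong"), ("guest", "x")]:
        print(user, pw, continue_until_accept(CHAIN, user, pw))
    print("misordered:", continue_until_accept(MISORDERED, "alice", "pw-a"))
```

In this model a known user with a wrong password and an unknown user both end at Check-Default with only the restricted attributes, while listing the catch-all first would hand the restricted reply to every user. The restriction lives entirely in the reply attributes, so it holds only as far as the NAS enforces them.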